/**
 * 
 */
package com.dfhc.util;

import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

/**
 * @author longsebo
 * Xss工具
 */
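public class XssHelper {
	/**
	 * Characters treated as XSS "keywords". Any inspected request parameter
	 * value containing one of them makes {@link #check} reject the request.
	 *
	 * NOTE(review): this is a deny-list of six characters, not an HTML/JS
	 * encoder. It does not cover e.g. single quotes, ampersands, or
	 * attribute/event-handler injection that needs none of these characters,
	 * so it is defence in depth only; values still need contextual output
	 * encoding where they are rendered.
	 */
	private static final String[] XSSKEYS={">","<","\"","#","(",")"};

	/**
	 * Checks every request parameter (except the ignored ones) for XSS
	 * "keyword" characters and rejects the request if one is found.
	 *
	 * @param request the incoming request whose parameters are inspected
	 * @param ignoreParameters parameter names to skip; several names are
	 *        separated by commas. When splitting yields nothing, no name is
	 *        skipped.
	 * @throws Exception if any inspected parameter value contains one of
	 *         {@link #XSSKEYS}
	 */
	public  static void check(HttpServletRequest request,String ignoreParameters) throws Exception{
		// Names to skip; falls back to an empty list when there is nothing to split.
		List<String> ignoreParameterList;
		String[] ignoredNames = StringHelper.splitString(ignoreParameters, ",");
		if (ignoredNames != null) {
			ignoreParameterList = ConvertHelper.toList(ignoredNames);
		} else {
			ignoreParameterList = new ArrayList<String>();
		}

		// Wildcard instead of a raw type: compiles against both the raw
		// Enumeration (Servlet 2.x) and Enumeration<String> (3.x+) signatures.
		Enumeration<?> names = request.getParameterNames();
		while (names.hasMoreElements()) {
			String name = names.nextElement().toString();
			if (ignoreParameterList.contains(name)) {
				continue;
			}
			String[] values = request.getParameterValues(name);
			if (values == null) {
				// Defensive: a name returned by getParameterNames() should always
				// resolve, but a wrapping request may not keep the two consistent.
				continue;
			}
			for (String value : values) {
				if (value == null) {
					// Nothing to inspect; avoids handing null to the helper.
					continue;
				}
				// Caller convention for findInStrArray: element 0 is an Integer
				// match position, negative meaning no keyword was found.
				List<Object> retValue = StringHelper.findInStrArray(0, value, XSSKEYS);
				Integer pos = (Integer) retValue.get(0);
				if (pos >= 0) {
					throw new Exception("输入数据不允许出现>,<,\",#,(,)，可以使用中文对应字符替代!");
				}
			}
		}
	}
}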
